Ok, I have released portmon 1.9, which addresses both of the security
"holes" which were brought up on bugtraq recently. Please see:
http://www.securityfocus.com/archive/82/326718
http://www.securityfocus.com/archive/1/325482
It is important to note that portmon is (and never was) installed SUID
by default, for obvious reasons. In fact, the --enable-setuid option
in the configure script printed out a nasty warning regarding the
nature of SUID programs.
So, as of version 1.8, portmon does not come with the --enable-setuid
option. If the user is hellbent on running portmon as a lower level
user, then they can chmod +s it by hand. ;]
Regarding the gobbles-esque "overflow" that was posted today (25 Jun
03), this particular bug isn't exactly exploitable and can't be used to
gain elevated privileges on the target system. As the author of the
exploit expressed to me in an email:
export USER=l33t
which create many a stress for admin if they find this in the log !
but your right, is not a M A J OR concern. thanx n1xo ! !
I would like to clarify two things about this advisory:
- This segfault has been corrected as of version 1.9. Please see
http://aboleo.net/software/portmon/downloads for updates.
- This particular bug, when "exploited" as the author suggests,
produces the following output to a portmon log:
envy:~/portmon/src$ export USER=l33t
envy:~/portmon/src$ ./portmon -c /usr/local/etc/hosts -l temp.log -d
envy:~/portmon/src$ head -1 temp.log
(Wed Jun 25 14:57:11 2003) - Portmon started by user l33t
While I find it odd that something like this might be considered to be
a security vulnerability, I should note that the $USER environment
variable is not used in any other places in the code. So while users
of portmon are encouraged to upgrade to the latest and greatest
version, anyone running portmon nonsuid (default) is not vulnerable to
local exploitation by either of these bugs.
-Nik
--
|| Nik Reiman || nik@aboleo.net || http://www.aboleo.net ||